[Freeipa-users] IPA 4.4 replica installation failing

2016-11-17 Thread Baird, Josh
Hi all, In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, and I seem to be hitting something similar to #5412 [1]. The 'ipa-replica-install' is getting stuck on: [4/26]: creating installation admin user Dirsrv error logs on the new replica:

Re: [Freeipa-users] Disabling Anonymous Binds (LDAP)

2016-11-17 Thread Brian Candler
On 16/11/2016 16:46, dan.finkelst...@high5games.com wrote: I've seen some discussion in the (distant) past about disabling anonymous binds to the LDAP component of IPA, and I'm wondering if there's a preferred method to do it. Further, are there any known problems with disabling anonymous

[Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hello. This morning I've tried to upgrade my IPA server, but the upgrade failed, and now the service doesn't start! :( If I try to launch the upgrade manually this is the output: *[root@mlv-ipa01 download]# ipa-server-upgrade Upgrading IPA: [1/8]: saving

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Florence Blanc-Renaud
On 11/17/2016 12:09 PM, Morgan Marodin wrote: Hello. This morning I've tried to upgrade my IPA server, but the upgrade failed, and now the service doesn't start! :( If I try to launch the upgrade manually this is the output: /[root@mlv-ipa01 download]# ipa-server-upgrade Upgrading IPA:

Re: [Freeipa-users] sssd failed with 'ldap_sasl_bindfailed(-2)[Localerror]'

2016-11-17 Thread Sumit Bose
On Thu, Nov 10, 2016 at 07:19:09PM +0800, Matrix wrote: > Hi, Sumit > > I have checked, and did not find anything more: > > error logs from /var/log/dirsrv/slapd-EXAMPLE-NET/access: > ... > [10/Nov/2016:10:46:58 +] conn=816560 fd=189 slot=189 connection from > 10.2.3.32 to 10.2.1.250 >

Re: [Freeipa-users] Client x.x.xx - RFC 1918 response from Internet in /var/log/messages

2016-11-17 Thread Bjarne Blichfeldt
Excellent - thanks. I was missing some forward statements for a few private segments. Venlig hilsen Bjarne Blichfeldt -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek Sent: 16. november 2016 14:36 To:

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-17 Thread Rob Crittenden
Sean Hogan wrote: > Hi Jakub, > > I ended up re-enrolling the box and it is behaving as expected except I > am not getting a host cert. Robert indicated auto host cert no longer > avail with rhel 7 but using the --request -cert option on enroll to get > a host cert if I wanted one. I did so and

Re: [Freeipa-users] Disabling Anonymous Binds (LDAP)

2016-11-17 Thread Rob Crittenden
Brian Candler wrote: > On 16/11/2016 16:46, dan.finkelst...@high5games.com wrote: >> I've seen some discussion in the (distant) past about disabling >> anonymous binds to the LDAP component of IPA, and I'm wondering if >> there's a preferred method to do it. Further, are there any known >>

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Rob Crittenden
Morgan Marodin wrote: > Hi Florence. > > Thanks for your support. > > Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all > permissions and certificates are good: > /[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/ > total 184 > -r--r--r-- 1 root root 1345 Sep 7 2015 cacert.asc >

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi Florence. Thanks for your support. Yes, httpd is using /etc/httpd/alias as NSS DB. And seems that all permissions and certificates are good: *[root@mlv-ipa01 ~]# ls -l /etc/httpd/alias/ total 184 -r--r--r-- 1 root root 1345 Sep 7 2015 cacert.asc -rw-rw 1 root apache 65536

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi. I've tried to delete and reimport only the *Server-Cert* certificate (I've a copy of the original folder). But a strange behaviour happened: *# certutil -L -d /etc/httpd/alias -n Server-Cert -a > /tmp/Server-Cert.crt # certutil -D -d /etc/httpd/alias -n Server-Cert #

Re: [Freeipa-users] Would fixing hosts file break kerberos

2016-11-17 Thread Robbie Harwood
William Muriithi writes: > I just noticed that I used an inappropriate way of setting up my hosts > files and I am planning to make a fix. I am however worried this may > break Kerberos. Should this change be of concern and has anyone made > the changes before? It

[Freeipa-users] Would fixing hosts file break kerberos

2016-11-17 Thread William Muriithi
Afternoon. I just noticed that I used an inappropriate way of setting up my hosts files and I am planning to make a fix. I am however worried this may break Kerberos. Should this change be of concern and has anyone made the changes before? My current /etc/hosts are as follows: 192.168.20.2

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Florence Blanc-Renaud
On 11/17/2016 04:51 PM, Morgan Marodin wrote: Hi Rob. I've just tried to remove the group write to the *.db files, but it's not the problem. /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf NSSNickname Server-Cert/ I've tried to run manually /dirsrv.target/ and

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-17 Thread Sean Hogan
Hi Robert, No I did not cut it off there was no reason listed.. that was the last line about the issue. I did find this to be my issue however https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat guys see if they can pull the new selinux policy packages as I do not see

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Rob Crittenden
Morgan Marodin wrote: > Hi Rob. > > I've just tried to remove the group write to the *.db files, but it's > not the problem. I didn't expect it to be but you don't want Apache having write access to your certs and keys. > /[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf >

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi. I've upgraded all packages of my distribution, not only ipa packages. There were a lot of packages. *[root@mlv-ipa01 ~]# rpm -q mod_nss mod_nss-1.0.14-7.el7.x86_64* All other checks seem ok: *[root@mlv-ipa01 ~]# certutil -V -u V -d /etc/httpd/alias -n Server-Cert certutil:

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-17 Thread Rob Crittenden
Sean Hogan wrote: > Hi Robert, > > No I did not cut it off there was no reason listed.. that was the > last line about the issue. > > I did find this to be my issue however > https://bugzilla.redhat.com/show_bug.cgi?id=1262718 ... having our sat > guys see if they can pull the new selinux

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-17 Thread Sean Hogan
Hi Guys.. Sorry to bug ya again.. so looks like the selinux packages are not back ported to 7.1 as I only have selinux-policy-3.13.1-23.el7_1.21.noarch as an option Setting the contexts manually to /etc/ipa/nssdb Original [root@server2 ipa]# ls -dZ nssdb drwxr-xr-x. root root

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-17 Thread Morgan Marodin
Hi Rob. I've just tried to remove the group write to the *.db files, but it's not the problem. *[root@mlv-ipa01 ~]# grep NSSNickname /etc/httpd/conf.d/nss.conf NSSNickname Server-Cert* I've tried to run manually *dirsrv.target* and *krb5kdc.service*, and it works, services went up. The same for